Abstract

We consider the following problem: Let s be an n-bit string with m ones and n − m zeros. Denote by CE_t(s) the number of pairs of equal bits which are within distance t apart in the string s. What is the minimum value of CE_t(·), when the minimum is taken over all n-bit strings which consist of m ones and n − m zeros?

We prove a (reasonably) tight lower bound for this combinatorial problem.

Implications on the cryptographic security of the least significant bit of a message encrypted by the RSA scheme follow. E.g. under the assumption that the RSA is unbreakable, there exists no probabilistic polynomial-time algorithm which guesses the least significant bit of a message (correctly) with probability at least 0.725, when given the encryption of the message using the RSA. This is the best result known concerning the security of RSA's least significant bit.
1. Introduction


This paper combines a combinatorial study with the application of its results to the analysis of a cryptological question. (The combinatorial problem is fully defined and solved in Sec. 2.)

1.1.  Cryptological  Background 

The importance of the notion of “partial information” to cryptographic research has gained wide recognition through the pioneering works of Blum and Micali [BM] and Goldwasser and Micali [GM]. In this paper we consider a much more specific question: the cryptographic security of the least significant bit of a message encrypted by the RSA scheme (hereafter referred to as RSA's l.s.b).

The RSA encryption scheme was presented by Rivest, Shamir and Adleman [RSA]. It is the best known implementation of the notion of a Public Key Cryptosystem, which was suggested by Diffie and Hellman [DH]. Encryption using the RSA is done by raising the message to a known exponent, e, and reducing the result modulo a known composite number, N, the factorization¹ of which is kept secret. The inverse of e in the multiplicative group is used for decryption and is kept secret. It is widely believed that the RSA is hard to break. This means that an adversary who does not know the secret (e⁻¹ mod φ(N)) will not be able to compute the message from its encryption (i.e. to invert the encryption function).

However, even under this unbreakability assumption, it might be the case that the RSA leaks some “valuable” partial information. I.e. it might be that given the ciphertext, one can compute some function of half of the bits of the plaintext. Proving that, under the unbreakability assumption, this is infeasible will make the RSA much more attractive. This seems to be a high goal. Research attempts are meanwhile focused on the feasibility of guessing correctly the least significant bit of the plaintext (i.e. RSA's l.s.b.)².

By saying that RSA's l.s.b is p-secure we mean that guessing it correctly with probability at least p is as hard as inverting the RSA. Consider an oracle that, when given the encryption (using the RSA) of a message, guesses the least significant bit of the message correctly with probability p. Such an oracle will be called a p-oracle for RSA's l.s.b. Clearly, the existence of a polynomial time algorithm that inverts the RSA using a p-oracle for RSA's l.s.b implies that RSA's l.s.b is p-secure.

It is believed that RSA's l.s.b is (½ + ε)-secure, for arbitrary small constant ε. Proving this statement might be a major breakthrough on the way to proving that any “valuable” partial information about the message encrypted by the RSA is as hard to get as inverting the RSA. Progress towards this goal has been slow but consistent in the recent years.

¹ To be exact, N is the product of two large primes, p and q. φ(·) is Euler's totient function, thus φ(pq) = (p − 1)(q − 1).

² Nevertheless, results have been achieved also w.r.t. other kinds of partial information. For details consult [BCS] and [VV2].
The first step was taken by Goldwasser, Micali and Tong [GMT] who proved that RSA's l.s.b is (1 − 1/|N|)-secure, where |N| is the size of the RSA's modulus.

Ben-Or, Chor and Shamir greatly improved this result by proving that RSA's l.s.b is (¾ + ε)-secure, where ε is fixed and arbitrary small. Their paper [BCS] contains an algorithm which inverts the RSA function. Their algorithm uses a (¾ + ε)-oracle for RSA's l.s.b (in order) to determine the parities of certain multiples of the original message. For further details consult [BCS] or [VV2].

Vazirani and Vazirani [VV1] have presented a very sophisticated modification of the algorithmic procedure used by Ben-Or, Chor and Shamir. The theme of their modification is a much better use of the oracle answers. They showed that their modification is guaranteed to succeed when given access to a 0.711-oracle for RSA's l.s.b. Recently, they have improved their analysis by showing that their modification is guaranteed to succeed even if it uses a 0.732-oracle.

Using the combinatorial results obtained in this paper, we show that the Vazirani and Vazirani algorithm is guaranteed to succeed when it uses a 0.725-oracle for RSA's l.s.b. Other observations w.r.t. the Vazirani and Vazirani algorithm as well as w.r.t. other inverting algorithms are also implied.

1.2.  Our  Results 

The following problem occurred to us when trying to improve Ben-Or, Chor and Shamir's result [BCS]:

Let s be an n-bit string with m ones and n − m zeros. Two bits in the string s are said to be t-close if they are within distance t apart. Denote by CE_t(s) the number of pairs of equal t-close bits in the string s. What is the minimum value of CE_t(·), over all n-bit strings which consist of m ones and n − m zeros?

In Sec. 2 we prove a (reasonably) tight lower bound on this combinatorial problem. With respect to proving the “amount” of security of the least significant bit of the RSA, this is a double-edged sword:

(1) It provides a powerful tool for analyzing certain algorithms for inverting the RSA using a (½ + δ)-oracle for RSA's l.s.b.

For example the algorithm proposed by Vazirani and Vazirani [VV1] is shown to work when it uses any 0.725-oracle for RSA's l.s.b (i.e. δ = 0.225). This establishes the best result known concerning the security of RSA's l.s.b.

(2) It points out the weakness of various proof techniques for determining the cryptographic security of RSA's l.s.b.

For example the Vazirani and Vazirani algorithm [VV1] may fail to invert if it uses a […]-oracle for RSA's l.s.b.

These implications will be discussed in Sec. 3. We believe that the combinatorial result has also other implications.
2. The Combinatorial Results

In this section we give a formal definition of the combinatorial problem discussed in the introduction, and prove a (reasonably) tight lower bound on it.

2.1.  Definitions 

Let s = (s_0, s_1, s_2, …, s_{|s|−1}) be a binary string of length |s|. We denote by sh_i(s) the string which results from s by the application of i left cyclic shifts. I.e:

sh_i(s) = (s_i, s_{i+1}, s_{i+2}, …, s_{i−1}) ,

where indices are considered modulo |s|.

Define the i-overlap of a string, s, to be the number of positions which agree in s and sh_i(s). The i-overlap of s will be denoted by over_i(s), i.e.

over_i(s) = Hamming(s ≡ sh_i(s)) ,

where ≡ denotes the bit by bit equal operation and Hamming(s) denotes the number of ones in s. Note that over_i(s) = |{j : 0 ≤ j < |s| ∧ s_j = s_{j+i}}| .

Denote by AverOver(s,t) the average over the i-overlaps of s for i ∈ {1, 2, …, t}. I.e.

AverOver(s,t) = (1/t) · Σ_{i=1}^{t} over_i(s) .

We remind the reader that CE_t(s) was used to denote the number of pairs of equal bits which are within distance t apart in the string s. I.e.

CE_t(s) = |{(i, j) : 0 ≤ i < j < n ∧ s_i = s_j ∧ j − i ≤ t}| ,

where n = |s|.

Clearly, CE_t(s) = Σ_{i=1}^{t} |{j : 0 ≤ j < n ∧ s_j = s_{j+i}}|. Thus,

CE_t(s) = t · AverOver(s,t) .

When evaluating CE_t(s) consider “lines” which connect equal t-close bits in s (i.e. positions that contain equal values and are within distance t apart in the string s). These lines are hereafter called overlines. Note that CE_t(s) is nothing but the number of overlines in the string s.

Let n and m be integers such that 0.5n ≤ m ≤ n. Let δ = m/n − 0.5. We denote by S_n^δ the set of n-bit binary strings with m = (0.5 + δ)n ones (and n − m zeros).

Denote by Aver(n,δ,t) the minimum value of AverOver(·,t) divided by n, when minimized over all strings in S_n^δ. I.e.

Aver(n,δ,t) = min_{s ∈ S_n^δ} { (1/n) · AverOver(s,t) } .

It is straightforward to see that for every s ∈ S_n^δ, AverOver(s,n) = (0.5 + 2δ²)n.

In this section we study Aver(n,δ,t) for arbitrary t, t < n. We obtain non-trivial results, as the surprising fact that Aver(n,0,t) converges to √2 − 1 ≈ 0.414, when n and t are large enough.
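As an added, runnable illustration of the definitions of Sec. 2.1 (this code is not part of the paper), the following Python computes over_i, AverOver and CE_t on cyclic strings, checks the identities CE_t(s) = t·AverOver(s,t) and AverOver(s,n) = (0.5 + 2δ²)n, and finds Aver(n,δ,t) by exhaustive search for small n; the search goes slightly beyond the text by also returning a minimizing string. All function names and the sample strings are constructed here.

```python
"""Direct (brute-force) evaluation of over_i, AverOver, CE_t and Aver(n, delta, t).

Added example, not from the paper.  Strings are treated as cycles, as in Sec. 2.1
(indices modulo |s|), and t is assumed to satisfy t <= (n - 2)/2 so that every
unordered pair at cyclic distance <= t is counted exactly once.
"""
from itertools import combinations


def over(s: str, i: int) -> int:
    """over_i(s) = |{ j : s_j = s_{j+i} }|, indices modulo |s|."""
    n = len(s)
    return sum(1 for j in range(n) if s[j] == s[(j + i) % n])


def aver_over(s: str, t: int) -> float:
    """AverOver(s, t) = (1/t) * sum_{i=1..t} over_i(s)."""
    return sum(over(s, i) for i in range(1, t + 1)) / t


def ce(s: str, t: int) -> int:
    """CE_t(s): number of 'overlines', i.e. unordered pairs of equal bits whose
    cyclic distance is at most t.  Computed from the pair definition, so that
    the identity CE_t(s) = t * AverOver(s, t) is a genuine check."""
    n = len(s)
    count = 0
    for i, j in combinations(range(n), 2):
        dist = min(j - i, n - (j - i))        # distance measured on the cycle
        if dist <= t and s[i] == s[j]:
            count += 1
    return count


def strings_with_ones(n: int, m: int):
    """All n-bit strings with exactly m ones: the set S_n^delta, m = (0.5 + delta) n."""
    for ones in combinations(range(n), m):
        bits = ["0"] * n
        for p in ones:
            bits[p] = "1"
        yield "".join(bits)


def aver(n: int, m: int, t: int):
    """Aver(n, delta, t) = min over S_n^delta of AverOver(s, t) / n = min CE_t(s) / (n t).
    Returns (value, a minimizing string).  Exhaustive, so only usable for small n."""
    best_ce, best_s = None, None
    for s in strings_with_ones(n, m):
        c = ce(s, t)
        if best_ce is None or c < best_ce:
            best_ce, best_s = c, s
    return best_ce / (n * t), best_s


def full_shift_identity_holds(s: str) -> bool:
    """AverOver(s, n) = (0.5 + 2 delta^2) n, because sum_{i=1..n} over_i(s) = m^2 + (n-m)^2."""
    n = len(s)
    delta = s.count("1") / n - 0.5
    return abs(aver_over(s, n) - (0.5 + 2 * delta ** 2) * n) < 1e-9


if __name__ == "__main__":
    s = "1100101001011100"                   # constructed sample, n = 16, m = 8, delta = 0
    for t in range(1, 8):                   # t <= (n - 2)/2 = 7
        assert ce(s, t) == round(t * aver_over(s, t))
    print("CE_7(s) =", ce(s, 7), " full-shift identity holds:", full_shift_identity_holds(s))
    print("Aver(8, delta=0.25, t=1) =", aver(8, 6, 1))   # small t: equals 2*delta, cf. Prop. 15(iii)
    print("Aver(12, delta=0, t=3)  =", aver(12, 6, 3))
```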
2.2. Propositions

We will assume throughout this section that t ≤ ½(n − 2). We will analyze Aver(n,δ,t) as follows: first we will show that the minimum of CE_t(·) is achieved by strings which belong to a restricted subset of S_n^δ, and next we will minimize CE_t(·) over this subset. This will establish a lower bound on Aver(n,δ,t). The upper bound will be implied by the proof of the lower bound, since this proof specifies a string s ∈ S_n^δ for which CE_t(s) ≈ nt·Aver(n,δ,t).

2.2.1.  Reduction  into  a  restricted  subset. 

In this subsection we will show that when analysing Aver(n,δ,t) it is enough to consider strings in S_n^δ which have the following property:

The string contains no “short 3-alternations substring”. A short 3-alternations substring is a substring of the form σ τ^+ σ^+ τ and length less than t + 2, where σ ≠ τ ∈ {0, 1}. (Here, and throughout this paper, σ^+ denotes a non-empty string of σ's.)

Proposition 1: over_i(s) = over_i(sh_j(s)).

Prop.  1  follows  directly  from  the  definitions  which  consider  strings  as  if  they  were 
cycles.  From  this  point  on,  we  also  take  the  liberty  of  doing  so. 

Proposition 2: Let σ_j ∈ {0,1}, for 1 ≤ j ≤ 2t. Let α be a binary string. Let n_{τ₁τ₂} = CE_t(σ_1 σ_2 ··· σ_t τ_1 τ_2 σ_{t+1} σ_{t+2} ··· σ_{2t} α). Then n_{10} − n_{01} = 2(σ_1 − σ_{2t}).

proof: Note that the difference between n_{10} and n_{01} is only due to the existence or non-existence of overlines between σ_1 and τ_1 and between τ_2 and σ_{2t}. Details are left to the reader.

Qed

Note that switching τ_1 and τ_2 in the string σ_1σ_2···σ_tτ_1τ_2σ_{t+1}σ_{t+2}···σ_{2t}α results in the string σ_1σ_2···σ_tτ_2τ_1σ_{t+1}σ_{t+2}···σ_{2t}α. The latter string has more overlines (than the former one) only if σ_1 = τ_2 ≠ τ_1 = σ_{2t}. Note that the latter string has less overlines if σ_1 = τ_1 ≠ τ_2 = σ_{2t}.

Proposition 3: Let α be a binary string and let x, y, z, u be integers such that x + y ≥ t but y + z < t. Then:

(i) CE_t(σ τ^x σ^y τ^{z−1} σ τ α) ≤ CE_t(σ τ^x σ^y τ^z σ α).

(ii) CE_t(σ τ^x σ^y τ^{z−1} σ τ σ^{u−1} τ^{t−u} σ α) ≤ CE_t(σ τ^x σ^y τ^z σ^u τ^{t−u} σ α).

(iii) CE_t(σ τ^x σ^y σ τ^z α) ≤ CE_t(σ τ^x σ^y τ^z σ α).

proof:

Part (i) follows by switching in σ τ^x σ^y τ^z σ α the σ on the l.h.s. of α with the τ on the l.h.s. of that σ, and recalling Prop. 2. (Notice that the symbol in σ τ^x σ^y τ^z σ α which is t bits to the left of “the switched τ” is also a τ.)

Part (ii) follows by switching in σ τ^x σ^y τ^z σ^u τ^{t−u} σ α the σ on the l.h.s. of σ^{u−1} τ^{t−u} σ α with the τ on the l.h.s. of that σ, and recalling again Prop. 2. (Notice that the symbol in σ τ^x σ^y τ^z σ^u τ^{t−u} σ α which is t bits to the right of “the switched σ” is also a σ.)

Part (iii) follows by z sequential applications of part (i).
Proposition 4: Let s ∈ S_n^δ be a binary string such that CE_t(s) = nt·Aver(n,δ,t) (i.e. s is a string with minimum number of overlines among all strings in S_n^δ). Then there exists a string, s' ∈ S_n^δ, such that:

(i) The string s' contains a substring of the form 10^+1^+0 the length of which is at least t + 2.³

(ii) CE_t(s') ≤ CE_t(s) + t².

proof: Note first that s is not of the form 0^+1^+. (Otherwise switching the adjacent 0 and 1 in s results in a string with less overlines.)

Consider an arbitrary substring, α, of length t in s. Let z denote the number of zeros in α (t − z is the number of ones in α).

Case 1: If z = 0 or z = t then the proposition follows, when s' = s.

Case 2 (0 < z < t): Let σ_L and σ_R be the bits adjacent to α in the string s. Replacing σ_L α σ_R by σ_L 0^z 1^{t−z} σ_R in the string s results in a string s'. Note that the number of overlines within σ_L α σ_R is equal to the number of overlines within σ_L 0^z 1^{t−z} σ_R. Also note that the number of overlines between the 0^z 1^{t−z}-block and the rest of s' (excluding σ_L and σ_R) is at most t(t − 1). Thus, CE_t(s') ≤ CE_t(s) + t(t − 1) and the proposition follows.


Proposition 5: Let s' ∈ S_n^δ be a string, with minimum number of overlines, which satisfies Prop. 4. Then with no loss of generality, the string s' contains no substring of the form 10^+1^+0 the length of which is less than t + 2. Furthermore, the string s' contains at most one substring of the form 01^+0^+1 the length of which is less than t + 2.

We remind the reader that CE_t(s') ≤ nt·Aver(n,δ,t) + t² and that s' ∈ S_n^δ.

proof: By the hypothesis, s' contains a substring of length at least t + 2 which has the form 10^+1^+0. The following is a sketch of the proof:

Starting at such a substring and scanning s' cyclicly (from left to right) we apply switches to make sure that all scanned substrings of either the form 10^+1^+0 or the form 01^+0^+1 are of length at least t + 2. We stop before scanning the last unscanned 01^+0^+1 substring. Noticing that the above process does not increase the number of overlines, we are done.

The proof proceeds as follows:

By Prop. 4(i), we can assume, w.l.o.g, that s' = 10^i1^j0α, where i + j ≥ t and α ∈ {0,1}^*. We define the following scanning procedure and apply it to s_scan = 1$$0^i1^j$0α. ($$ denotes the “starting position” and $ denotes the “current position” in the scanning.)


³ We remind the reader that σ^+ denotes a non-empty string of σ's.
procedure scanning(o ■)or'V'$') i r yjr a)   [recursive]
    [σ, τ ∈ {0,1}, σ ≠ τ, γ_0, γ_1, γ_2, γ_3 ∈ {λ, $$} and β_1, β_2 ∈ {0,1}^*.]
    if γ_1 = $$ then return (otj o‘j t ' a At .f.) ;   [terminates.]
    [γ_1 = λ] if y + z ≥ t then   [considers next block.]
        return (scanning(rrr!,r -;.tAjOy,r' ')) ;
    [γ_1 = λ and y + z < t]   [transfers one σ.]
    return (scanning(ery)T-rour$~)t r~ ~ y>r: ' ,3\ )) ;
end;


It is possible to verify that the string scanning(s_scan) satisfies the statement of the proposition. For details, consult the Appendix (Sec. 6.1).

Qed

Proposition 6: Let s' ∈ S_n^δ be a string as in Prop. 5. Then there exists a string s'' ∈ S_n^δ such that:

(i) The string s'' contains no substring of the form 10^+1^+0 the length of which is less than t + 2.

(ii) The string s'' contains no substring of the form 01^+0^+1 the length of which is less than t + 2.

(iii) CE_t(s'') ≤ CE_t(s') + t².

proof: By the hypothesis s' has no 10^+1^+0 substring and at most one 01^+0^+1 substring of length less than t + 2. Assume that such a unique 01^y0^z1 substring of length less than t + 2 exists; i.e. y + z < t. Replace this substring in s' by the substring 00^z1^y1 resulting in a string s''. Note that s'' satisfies both (i) and (ii). To conclude note that CE_t(s'') ≤ CE_t(s') + t² − t. (The number of overlines within 01^y0^z1 is equal to the number of overlines within 00^z1^y1; the number of overlines between the 0^z1^y-block and the rest of s'' is less than t(t − 1).) The proposition follows.

Qed

We remind the reader that our objective is to give a good lower bound on Aver(n,δ,t) = min_{s ∈ S_n^δ} (1/(nt))·CE_t(s). Note that we have restricted our attention to strings that do not have short 3-alternations substrings; i.e. substrings of the form 01^+0^+1 or 10^+1^+0 which have length less than t + 2. This is sufficient since there exists such a string, namely s'', that has approximately the minimum number of overlines. I.e. CE_t(s'') ≤ nt·Aver(n,δ,t) + 2t². Formally we define R_n^δ to be the set of strings which belong to S_n^δ and do not have short 3-alternating substrings. Aver_R(n,δ,t) will denote min_{r ∈ R_n^δ} (1/(nt))·CE_t(r). Clearly,

Proposition 7: Aver(n,δ,t) ≤ Aver_R(n,δ,t) ≤ Aver(n,δ,t) + 2t/n.

proof: By Prop. 4, 5 and 6, s'' ∈ R_n^δ and nt·Aver_R(n,δ,t) ≤ CE_t(s'') ≤ CE_t(s) + 2t² = nt·Aver(n,δ,t) + 2t². Thus, the proposition follows.

Qed

Let us define even a more restricted subset of S_n^δ: The set MR_n^δ is the subset of strings which belong to R_n^δ and do not have long homogeneous substrings; i.e. substrings of the form σ^{t+1}, where σ ∈ {0, 1}. Also, Aver_MR(n,δ,t) will denote min_{r ∈ MR_n^δ} (1/(nt))·CE_t(r).

Let us first give a tight lower bound on Aver_MR(n,δ,t) and only later prove that this bound is approximately also a bound for Aver_R(n,δ,t).

2.2.2. Lower bound for Aver_MR(n,δ,t)

Recall that each of the strings in MR_n^δ ⊂ S_n^δ has the following properties:

(i) The string contains no short 3-alternating substrings.

(ii) The string contains no long homogeneous substrings.

We will rely on the above properties of the strings in MR_n^δ in order to bound Aver_MR(n,δ,t). Given a string r ∈ MR_n^δ we will introduce an expression for CE_t(r) which depends only on the numbers of bits in each maximal substring of consecutive equal bits. In other words, we will introduce a localized counting of CE_t(r).

Definition: We say that b is a block (an all-σ block) of the string r if it is a maximal substring of equal bits. I.e. b = σ^+ and r = τ b τ α, where τ ≠ σ and α is an arbitrary string.

Denotations: Let q denote the number of all-zero (all-one) blocks in r. Beginning from an arbitrary position between an all-one block and an all-zero block and going cyclically from left to right, number the blocks of consecutive zeros [ones] by 0, 1, 2, …, (q − 1). Denote by z_i the number of zeros in the i-th all-zero block and by y_i the number of ones in the i-th all-one block. I.e., r = 0^{z_0} 1^{y_0} 0^{z_1} 1^{y_1} ··· 0^{z_{q−1}} 1^{y_{q−1}}.

Proposition 8: Overlines occur (in r) only either within a block or between two consecutive blocks (of the same bit).

proof: Consider any substring of the form 10^+1^+0^+1 in r. By Prop. 6, the length of this substring exceeds t + 1 and therefore no overlines exist between the extreme 1's. A similar observation holds for any 01^+0^+1^+0 substring. Thus, the proposition follows.

Qed

Remark: Note that Prop. 8 holds even if r ∈ R_n^δ.

This suggests to evaluate the number of overlines (in r) by counting the “contribution” of each (homogeneous) block to it. This counting is hereafter referred to as the Block-Localized Counting (BLC) and proceeds as follows:

Block-Localized Counting (with respect to a block of length l in r):

(i) The number of overlines within the block, denoted I_l.

(ii) The number of overlines between bits of the blocks neighbouring this block (i.e. the first block on its left and the first block on its right), denoted B_l.

Note that I_l and B_l are easy to evaluate and can be used to express CE_t(r). Namely,
Proposition 9:

(i) CE_t(r) = Σ_{i=0}^{q−1} [ (I_{z_i} + B_{z_i}) + (I_{y_i} + B_{y_i}) ], where r = 0^{z_0} 1^{y_0} 0^{z_1} 1^{y_1} ··· 0^{z_{q−1}} 1^{y_{q−1}}.

(ii) For l < t, I_l = (l choose 2) and B_l = Σ_{i=0}^{t−l−1} (t − l − i).

(iii) For l = t, I_l = (t choose 2) and B_l = 0.

proof: Part (i) follows by observing that each overline is counted exactly once.

To evaluate B_l consider, w.l.o.g, the substring 0 0^i 1^l 0^k 1. If i + l < t then the number of overlines between the leftmost 0 and the 0's to the right of the 1^l-block is t − (l + i). This is due to the fact that (by r ∈ MR_n^δ) l + k ≥ t. Also note that if i + l ≥ t then there are no overlines between the leftmost 0 and the 0's to the right of the 1^l-block. Thus, B_l = Σ_{i=0}^{t−l−1} (t − l − i) if l < t; and B_l = 0 otherwise.

Clearly, for l ≤ t + 1, I_l = (l choose 2). Thus, the proposition follows.

Qed

Remark: Note that for l > t, I_l = (t choose 2) + (l − t)t and B_l = 0. (Note that for k > 0, CE_t(σ^{t+k}) = CE_t(σ^{t+k−1}) + t = CE_t(σ^t) + kt.) However such substrings do not exist in a string which belongs to MR_n^δ.

Evaluating I_l + B_l we get

Proposition 10: The contribution (to the BLC) of one l-bit long block (in r) is:

f(l) = l² − (t + 1)l + t(t + 1)/2 .

proof: Recall that r ∈ MR_n^δ and thus l ≤ t. Using Prop. 9(ii) and 9(iii), we get f(l) = ½l(l − 1) + ½(t − l)(t − l + 1) and the proposition follows.

Qed

Note that the contribution of all the all-zero blocks to the number of overlines (in r) only depends on the way the zeros are partitioned among the all-zero blocks. (I.e. it is independent of the way the ones are partitioned among the all-one blocks.) This contribution amounts to:

g(z_0, z_1, …, z_{q−1}) = Σ_{i=0}^{q−1} f(z_i) ,

where r = 0^{z_0} 1^{y_0} 0^{z_1} 1^{y_1} ··· 0^{z_{q−1}} 1^{y_{q−1}}.

Note that g(·, …, ·) is a quadratic form and therefore

Proposition 11: For fixed q, t and k, the minimum value of the function g(x_0, x_1, …, x_{q−1}) subject to the constraint k = Σ_{i=0}^{q−1} x_i is obtained at x_0 = x_1 = ··· = x_{q−1} = k/q .

proof: Note that g(x_0, x_1, …, x_{q−1}) = Σ_{i=0}^{q−1} (x_i² − (t + 1)x_i + t(t + 1)/2) = Σ_{i=0}^{q−1} x_i² − (t + 1)·k + ½t(t + 1)·q . Since Σ_{i=0}^{q−1} x_i² subject to k = Σ_{i=0}^{q−1} x_i is minimum when the x_i's are equal, the proposition follows.

Qed

Thus, the minimum number of overlines is achieved if all the all-zero blocks [all-one blocks] are of the same size. This yields

Proposition 12: Let Q = {q ∈ Integers : […] ≤ q ≤ n − m}. Then:

nt·Aver_MR(n,δ,t) ≥ min_{q ∈ Q} { q · ( f(m/q) + f((n − m)/q) ) } .

We remind the reader that m = (0.5 + δ)n .

proof: Note that the number of blocks in a string, r ∈ MR_n^δ, must be in Q. The proposition follows immediately from the definitions of Aver_MR(·,·,·), f(·) and g(·, …, ·), and Prop. 9, 10 and 11.

Qed

Elaborating the r.h.s. expression of Prop. 12 we get

Proposition 13: Aver_MR(n,δ,t) ≥ min_{q ∈ Q} h_δ(q), where

h_δ(q) = (0.5 + 2δ²)·n/(qt) − (t + 1)/t + (t + 1)·q/n .

proof: (1/(nt)) · q · ( f(m/q) + f((n − m)/q) ) = (1/(nt)) · ( (m² + (n − m)²)/q − (t + 1)·n + q·t(t + 1) ) = (0.5 + 2δ²)·n/(qt) − (t + 1)/t + (t + 1)·q/n , using m² + (n − m)² = (0.5 + 2δ²)n².

Qed
Note that

Proposition 14: The minimum of the function h_δ(·) is obtained at:

q_min = n · √( (0.5 + 2δ²) / (t(t + 1)) )

and the minimum value is:

v* = √( (2 + 8δ²)·(t + 1)/t ) − (t + 1)/t .

Thus, Aver_MR(n,δ,t) ≥ v*. All that is left is to derive a lower bound for Aver(n,δ,t).

2.2.3. Lower bound for Aver_R(n,δ,t) and Aver(n,δ,t)

In this subsection we show that a string r_0 ∈ R_n^δ with minimum overlines can be transformed into a string r'_0 ∈ MR_{n'}^{δ'}, such that n' ≈ n, δ' ≈ δ and CE_t(r'_0) ≈ CE_t(r_0). We conclude by using this fact and the lower bound for Aver_MR(n,δ,t), to introduce a lower bound for Aver_R(n,δ,t).

Proposition 15: Let r_0 ∈ R_n^δ be a string with minimum number of overlines; i.e. CE_t(r_0) = nt·Aver_R(n,δ,t). Then:

(i) For σ ∈ {0, 1}, either r_0 contains no substring of more than t consecutive σ's or r_0 contains no block of less than t consecutive σ's. Furthermore, w.l.o.g, r_0 contains at most one substring of more than t consecutive σ's.

(ii) If t ≥ […] then r_0 has no substring of the form σ^{2t+1}.

(iii) If t < […] then Aver(n,δ,t) = 2δ.

(iv) If t ≥ […] then there exist a k ≤ t, a δ' ≥ δ and a r'_0 ∈ MR_{n+k}^{δ'} such that

CE_t(r_0) ≥ CE_t(r'_0) − kt .
proof:

Part (i): Note that omitting one σ from a substring that contains more than t σ's decreases the number of overlines by exactly t. Adding one σ to a block of k σ's increases the number of overlines by t if k ≥ t, and by less than t if k < t. Thus, w.l.o.g, r_0 contains at most one substring of more than t σ's. Also note that r_0 cannot contain both a substring of more than t σ's and a block of less than t σ's. (Otherwise omitting one σ from the first substring and adding it to the second one will result in a new string which is also in R_n^δ but has less overlines than the string r_0. This is in contradiction to the hypothesis.) Thus, part (i) of the proposition follows.

Part (ii): Assume on the contrary that r_0 contains a σ^{2t+1} substring.

Case 1 (σ = 0): Since the number of 1's is at least as much as the number of 0's, r_0 contains a 11 substring. Omitting one of the ones in the 11 substring and inserting it in the middle of the 0^{2t+1} substring decreases the number of overlines, in contradiction to the hypothesis.

Case 2 (σ = 1): By part (i) above and since t ≥ […], r_0 contains a 00 substring. Contradiction follows as in Case 1.

Part (iii): Note that the number of overlines in a string s ∈ S_n^δ is at least nt − 2(½ − δ)nt = 2δnt. On the other hand, CE_t((1^t0)^i 1^j) = nt − 2it, where n = i(t + 1) + j. Note that if t < […] then such a string exists. Part (iii) of the proposition follows.

Part (iv): By part (i), if r_0 contains a 0^{t+1} substring then it contains also a 1^{t+1} substring. Also r_0 contains at most one 0^{t+1} [1^{t+1}] block. Thus, w.l.o.g. we consider the longest 1^+ substring. Let l denote its length. By part (ii) it is enough to consider two cases:

Case 1 (l ≤ t): Let r'_0 = r_0, k = 0 and δ' = δ. By the above r'_0 ∈ MR_n^δ.

Case 2 (t < l ≤ 2t): Note that r_0 contains a 00 substring. Let k = 2t − l and r'_0 be the string which results from r_0 by the following procedure:

add k ones to the longest 1^l block (yielding a 1^{2t} block);
if r_0 contains a 0^{t+u} block (where u > 0)
then do begin
    omit u zeros from the 0^{t+u} block;
    insert them in the middle of the 1^{2t} block; end
else do begin
    omit 1 zero from a 00 substring;
    insert it in the middle of the 1^{2t} block; end

Let δ' = δ + […]. Note that δ' = […]. Also note that by the above, r'_0 ∈ MR_{n+k}^{δ'} and CE_t(r'_0) ≤ CE_t(r_0) + kt.

Thus, part (iv) of the proposition follows.

Qed
We conclude by using Prop. 15(iv) and the lower bound for Aver_MR(n,δ,t) to introduce lower bounds for Aver_R(n,δ,t) and Aver(n,δ,t).

Proposition 16: If t ≥ […] then

(i) There exist 0 ≤ k ≤ t and δ' ≥ δ such that Aver_R(n,δ,t) ≥ Aver_MR(n + k,δ',t) − […] .

(ii) Aver_R(n,δ,t) ≥ v* − […] .

(iii) Aver(n,δ,t) ≥ v* − […] .

proof:

By Prop. 15(iv), Aver_R(n,δ,t) = (1/(nt))·CE_t(r_0) ≥ (1/(nt))·( CE_t(r'_0) − kt ) ≥ Aver_MR(n + k,δ',t) − […]. Thus, part (i) of the proposition follows.

By Prop. 13 and 14, Aver_MR(n + k,δ',t) ≥ v*. Combining the above with part (i) we get Aver_R(n,δ,t) ≥ v* − […]. Thus, part (ii) follows.

Combining part (ii) with Prop. 7, part (iii) follows.

Qed


2.3.  The  Main  Results 

Throughout this section we assume that […] ≤ t ≤ ½(n − 2) .

Lower Bound Lemma: Aver(n,δ,t) is at least

( √( (2 + 8δ²)·(t + 1)/t ) − (t + 1)/t ) − […] .

proof: The Lemma follows immediately from Prop. 14 and 16(iii).

Qed

Upper Bound Lemma: Aver(n,δ,t) is at most

( √( (2 + 8δ²)·(t + 1)/t ) − (t + 1)/t ) + (t + 1)/n + […] .

proof: The Lemma follows from observing that the proof of the lower bound specifies the structure of a string which achieves minimum CE_t(·) among all strings in MR_n^δ. The only problem in constructing such a string is that non-integer numbers, of blocks and block sizes, may appear. However, we will show that the overlap added by the round-up of the number of blocks is less than (t + 1)/n; while the overline added by the round-up of the blocks' sizes is less than […].

Let q_min denote, as in Prop. 14, the value on which h_δ(·) is minimized and let ν = ⌈q_min⌉ − q_min. Note that h_δ(⌈q_min⌉) − h_δ(q_min) = (t + 1)ν/n − […] ≤ (t + 1)ν/n. Thus, h_δ(⌈q_min⌉) ≤ h_δ(q_min) + (t + 1)/n. [A better bound can be obtained if the number of blocks is rounded to the nearest integer ⌊q_min⌉. One can prove that h_δ(⌊q_min⌉) ≤ h_δ(q_min) + O([…]²).]

Consider the partition of the zeros among the q zero-blocks. Let z = (n − m)/q and assume ν_0 = z − ⌊z⌋ > 0. Consider the partition of ⌊z⌋ zeros to each of the first k_0 zero-blocks and ⌈z⌉ to each of the rest. Note that k_0 = (1 − ν_0)q. Define d_0 = ( k_0 · f(⌊z⌋) + (q − k_0) · f(⌈z⌉) ) − q · f(z). Using k_0 = (1 − ν_0)q, ⌊z⌋ = z − ν_0 and ⌈z⌉ = z − ν_0 + 1, we get d_0 = q·( (1 − ν_0)(z − ν_0)² + ν_0(z − ν_0 + 1)² − z² ) = qν_0(1 − ν_0) ≤ q/4 < […]. In case ν_0 = 0, let k_0 = q and note that d_0 = 0. The same applies to the partition of the 1's and the evaluation of d_1. Note that the above partitions define a string, s_1 ∈ MR_n^δ, such that CE_t(s_1) − nt · h_δ(q) = d_0 + d_1 < 2 · […] .

We conclude by noting that

Aver(n,δ,t) ≤ (1/(nt))·CE_t(s_1) ≤ (1/(nt))·( nt · h_δ(⌈q_min⌉) + […] ) + […] .


Evaluating the expressions in the above lemmas we get

Corollary 1:

(i) √2 − 1 − O(…) ≤ Aver(n,0,t) ≤ √2 − 1 + O(…) + O(…) .

(ii) For t ≥ 2500 and n ≥ 300000·t, Aver(n,0.177,t) > ½ + 0.0001 .

(iii) For t ≥ 500 and n ≥ 10000·t, Aver(n,0.225,t) > 0.55 + 0.0001 .

(iv) For every 2500 ≤ t ≤ n/300000 and δ ≤ 0.176, Aver(n,δ,t) ≤ ½ .

(v) For every 500 ≤ t ≤ n/10000 and δ ≤ 0.224, Aver(n,δ,t) ≤ 1 − 2δ .

2.4. Additional Definitions and Results

In this section we define a different, yet related, combinatorial problem. Instead of considering the average overlap over all "small"⁴ shifts, we consider the maximum overlap obtained by one of the "small" shifts.

Let us define an i-overline to be a line which connects a pair of equal bits which are (exactly) at distance i apart.

Denote by MaxOver(s,t) the maximum over the i-overlaps of s for i ∈ {1,2,..,t}. I.e.

MaxOver(s,t) = max_{1≤i≤t} { over_i(s) } .

Denote by Max(n,δ,t) the minimum value of MaxOver(s,t) divided by n, when minimized over all strings in S^δ_n. I.e.

Max(n,δ,t) = min_{s∈S^δ_n} { (1/n)·MaxOver(s,t) } .

Clearly,

Proposition 17: Max(n,δ,t) ≥ Aver(n,δ,t).

This establishes a trivial lower bound on Max(n,δ,t). We do not believe that this bound is tight; however, we failed to prove a better one. On the other hand, the following proposition yields an upper bound on Max(n,δ,t).

Proposition 18: ((i) is folklore and (ii) appears in van Lint [L])

(i) For every De Bruijn Sequence⁵, s, of length 2^k and every i, i ∈ {1,2,..,k−1},

over_i(s) = ½·2^k .

(ii) For every k there exists a Shortened De Bruijn Sequence⁶, s, of length 2^k − 1 such that for every i, i ∈ {1,2,..,2^k−2},

over_i(s) = 2^{k−1} − 1 ≈ ½·(2^k − 1) .

⁴ Here, "small" means not greater than t.

⁵ The 2^k-bit long string (s_0, s_1, s_2, …, s_{2^k−1}) is a De Bruijn Sequence if (when considered in circular order) it contains as substrings all possible bit-strings of length k.
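The two constructions of Prop. 18, as an added example that is not part of the paper: a binary De Bruijn sequence (FKM construction) and a Shortened De Bruijn sequence obtained as the m-sequence of a maximal-length LFSR. The primitive polynomial x^5 + x^2 + 1, the circular counting of overlaps and the function names are assumptions of the example, not statements of the paper.

```python
# Added example (not from the paper): builds a De Bruijn sequence of order k
# and a Shortened De Bruijn sequence (the m-sequence of an LFSR whose
# characteristic polynomial is assumed to be the primitive x^5 + x^2 + 1 for
# k = 5) and checks the overlap counts of Prop. 18.  Overlaps are counted in
# circular order, as in the De Bruijn footnote.

def over(s, i):
    """over_i(s): number of positions j with s[j] == s[(j + i) mod n]."""
    n = len(s)
    return sum(1 for j in range(n) if s[j] == s[(j + i) % n])

def max_over(s, t):
    """MaxOver(s, t) = max over 1 <= i <= t of over_i(s)."""
    return max(over(s, i) for i in range(1, t + 1))

def windows(s, k):
    """Set of all circular k-bit windows of s."""
    n = len(s)
    return {tuple(s[(j + d) % n] for d in range(k)) for j in range(n)}

def de_bruijn(k):
    """Binary De Bruijn sequence of order k (length 2^k), built from the
    Lyndon words of length dividing k (Fredricksen-Kessler-Maiorana)."""
    a = [0] * (2 * k)
    seq = []

    def db(t, p):
        if t > k:
            if k % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, 2):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq

def m_sequence(k=5, taps=(3, 5)):
    """One period (2^k - 1 bits) of a k-stage Fibonacci LFSR.  taps=(3, 5)
    encodes a_n = a_{n-3} XOR a_{n-5}, i.e. the polynomial x^5 + x^2 + 1
    (assumed primitive; is_shortened_de_bruijn verifies the consequence)."""
    state = [1] * k                      # any non-zero seed
    out = []
    for _ in range(2 ** k - 1):
        out.append(state[0])
        new = 0
        for tp in taps:
            new ^= state[k - tp]
        state = state[1:] + [new]
    return out

def is_de_bruijn(s, k):
    return len(s) == 2 ** k and len(windows(s, k)) == 2 ** k

def is_shortened_de_bruijn(s, k):
    """Length 2^k - 1 and circular k-windows = all non-zero k-bit strings,
    so re-inserting a zero into the run of k - 1 zeros gives a De Bruijn
    sequence (footnote 6)."""
    w = windows(s, k)
    return len(s) == 2 ** k - 1 and len(w) == 2 ** k - 1 and (0,) * k not in w

def check_prop18(k=5):
    """Overlap counts for both constructions: Prop. 18(i) predicts 2^(k-1)
    for i < k on the De Bruijn sequence, Prop. 18(ii) predicts 2^(k-1) - 1
    for every 1 <= i <= 2^k - 2 on the shortened one."""
    s = de_bruijn(k)
    assert is_de_bruijn(s, k)
    u = m_sequence(k)
    assert is_shortened_de_bruijn(u, k)
    db_overs = [over(s, i) for i in range(1, k)]
    sh_overs = [over(u, i) for i in range(1, 2 ** k - 1)]
    return db_overs, sh_overs

if __name__ == "__main__":
    db_overs, sh_overs = check_prop18(5)
    print("De Bruijn, i < k:", db_overs)                      # all 16
    print("shortened, all i:", set(sh_overs))                  # {15}
    print("MaxOver/n:", max_over(m_sequence(5), 30) / 31)      # 15/31
```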

Using Prop. 18 we also obtain an upper bound on Max(n,δ,t); i.e.

Proposition 19: (Here q is an integer.)

(i) For t + 1 = l = 2^k − 1, n = ql and δ = … , Max(n,δ,t) ≤ ½ + δ − … + … .

(ii) Max(n,δ,t) ≤ Max(n,δ,t + 1).

(iii) Max(n,δ,t) ≤ ½ + δ + O(…).

proof: Part (ii) follows easily from the definition of MaxOver.

Let s be a Shortened De Bruijn Sequence as in Prop. 18(ii) (i.e. over_i(s) = 2^{k−1} − 1, when 0 < i < 2^k − 1). The proof of parts (i) and (iii) consists of constructing strings which are shown to have "low" MaxOver. (These MaxOvers will set an upper bound on the corresponding Max(·,·,·).) The constructions use the string s^q as a substring, where k = log_2(l + 1). Additional 1's are used, to outnumber the zeros in the constructed strings, in case δ > 0. Details can be found in the Appendix (Sec. 6.2).

Qed


2.5.  Historical  Remark 

The  combinatorial  results  presented  in  Sec.  2.2  and  Sec.  2.3  as  well  as  Corollary 
4  (of  Sec.  3.2)  were  obtained  during  September  1983. 

The exact statement of the VV-Theorem was communicated to the author on November 21st; the results presented in Sec. 2.4 and Sec. 3.2 were obtained during the rest of November 1983.


⁶ A Shortened De Bruijn Sequence, of length 2^k − 1, is a 2^k-long De Bruijn Sequence in which a zero has been omitted from the all-zero block of length k.
3. On the Cryptographic Security of the RSA's L.S.B

In this section we apply the results of the previous section to the analysis of algorithms which invert the RSA encryption function when given access to an oracle for the least significant bit of the encrypted message. This implies results (concerning the security of RSA's l.s.b.) which fall into the following three categories:

(i) A 0.725-security result (for RSA's l.s.b).

(ii) Conditional improvements of the above result, i.e. results which will hold if some conjecture is proven.

(iii) Bounds on the possibility of improvements using current techniques.

3.1. Specific Background

Our 0.725-security result is based on Vazirani and Vazirani's work [VV1], which is an improvement of Ben-Or, Chor and Shamir's work [BCS]. In this subsection we sketch some of the ideas used in these nice works.

3.1.1. A Sketch of Ben-Or, Chor and Shamir's Algorithmic Procedure

The essence of the Inverting Algorithm:

The plaintext is reconstructed, from its encryption, by running a g.c.d. procedure on two multiples⁷ of it. The values of these multiples (as well as the values of all multiples discussed hereafter) are "small"⁸. A Modified Binary G.C.D. algorithm is used. To operate, this algorithm needs to know the parity of multiples of the plaintext. Thus, it is provided with a subroutine that determines the parity of these multiples. (See [BCS].)

Determining Parity using an Oracle which may err:

The subroutine determines the parity of a multiple, kx, of the plaintext, x, by using a (½ + δ)-oracle for RSA's l.s.b as follows. It picks a random r and asks the oracle for the parity (i.e. l.s.b) of both rx and rx + kx, feeding it in turn with E(rx) = E(r)E(x) and E((r + k)x) = E(r + k)E(x)⁹. The oracle's answers are processed according to the following observation. Since kx is "small", with very high probability rx < rx + kx. Then, the parity of kx is equal to 0 if the parities of rx and rx + kx are identical, and equal to 1 otherwise. This is repeated many times; every repetition (instance) is called a kx-measurement (or a toss of the kx-coin). Note that the outcome of a kx-measurement is correct if the oracle was correct on both rx and rx + kx. The outcome is correct also if the oracle was wrong on both queries (but this fact is not used in [BCS]).

⁷ All x's and operations are considered modulo N, the RSA's modulus.

⁸ Here and throughout the rest of the paper "small" means bounded by a very small fraction of the RSA's modulus.

⁹ E(M) denotes the RSA encryption function. Recall that E(M) = M^e (mod N), where N and e are respectively the RSA's modulus and exponent.
(Trivial) Measurement Analysis:

A kx-coin toss is correct with probability at least 2δ.

(This suffices if δ = ¼ + ε, see [BCS].)

3.1.2. A Sketch of Vazirani and Vazirani's Modification of the BCS-Procedure

Distinguishing a Good Coin from a Bad one:

For δ < ¼: if, when running a Monte-Carlo experiment on a kx-coin toss, more than a 1 − 2δ fraction of the answers agree on some value, then this is the correct value. (In such a case the coin is said to be distinguishably good. See [VV1].)

Using Distinguishably Good Coins:

Let t be a fixed constant and K be a set of cardinality O(log N). If for every k ∈ K there exists a 1 ≤ j ≤ t such that the (j·kx)-coin is distinguishably good then one can determine the parity of kx. (This is done by replacing every kx-measurement, of the subroutine, by a set of O(log log N) measurements, see [VV1].) (The above condition will be referred to as the Distinguishability Condition.)

Vazirani and Vazirani combined the above sketched ideas into an algorithm that inverts the RSA using a (½ + δ)-oracle. It remained to be shown that when given certain oracles for RSA's l.s.b the Distinguishability Condition holds. In [VV1] Vazirani and Vazirani proved that the Distinguishability Condition holds for any 0.741-oracle for RSA's l.s.b.; in [VV2] they improved their analysis and showed that this condition holds for any 0.732-oracle.


3.2. Cryptographic Implications of our Combinatorial Results

It is easy to show that the Distinguishability Condition is equivalent to the following condition, hereafter referred to as the Big-Advantage Condition: for some fixed t, Max(N,δ,t) > 1 − 2δ + ε .

(Use oracle transformation through multiplication by the inverse of kx mod N. Note that if the inverse does not exist it is feasible to factor N and inverting the RSA becomes easy.) This was also observed by Vazirani and Vazirani [VV2].
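The equivalence just stated, as an added example that is not from the paper: the oracle is modelled by a correctness string c over Z_N (c[y] = 1 iff it answers correctly on message y), a kx-measurement is the XOR of its two answers, and exhaustive enumeration over the multiplier r shows that the coin is right exactly when the oracle is right or wrong on both queries, i.e. with frequency over_{kx}(c)/N up to the wrap-around cases rx + kx ≥ N. N = 1001, x, k, the periodic pattern c and the function names are constructed for the example; no RSA encryption is involved, only index arithmetic mod N.

```python
# Added example (not from the paper): an l.s.b. oracle modelled by its
# correctness string c, and the kx-coin of the BCS subroutine evaluated
# against it.  Toy values throughout; nothing here touches real RSA.

def over(c, i):
    """over_i(c): pairs of equal bits at circular distance i."""
    n = len(c)
    return sum(1 for y in range(n) if c[y] == c[(y + i) % n])

def kx_coin(c, N, x, k, r):
    """One kx-measurement: ask the modelled oracle for the l.s.b. of rx and
    of rx + kx (both mod N) and XOR the answers.
    Returns (guessed parity of kx, True iff the guess is right)."""
    y1 = (r * x) % N
    y2 = (y1 + k * x) % N
    ans1 = (y1 & 1) ^ (1 - c[y1])      # correct l.s.b. exactly where c == 1
    ans2 = (y2 & 1) ^ (1 - c[y2])
    guess = ans1 ^ ans2
    return guess, guess == ((k * x) & 1)

def coin_statistics(c, N, x, k):
    """Enumerate every multiplier r in Z_N (rx then ranges over all of Z_N
    because x is invertible).  Returns (number of correct measurements,
    over_{kx}(c), number of wrap-around multipliers).  The first two differ
    by at most the third: without wrap-around the coin is right iff
    c[rx] == c[rx + kx]; with wrap-around (N odd) the rule is inverted."""
    assert 0 < k * x < N, "kx must be 'small' for the parity rule to apply"
    correct = sum(kx_coin(c, N, x, k, r)[1] for r in range(N))
    wraps = sum(1 for r in range(N) if (r * x) % N + k * x >= N)
    return correct, over(c, k * x), wraps

def big_advantage(c, t, eps):
    """Big-Advantage check for this oracle: is there a shift i <= t with
    over_i(c)/N > 1 - 2*delta + eps, where 1/2 + delta is the oracle's
    overall success rate?  Returns (holds, best over_i(c)/N, delta)."""
    N = len(c)
    delta = sum(c) / N - 0.5
    best = max(over(c, i) for i in range(1, t + 1)) / N
    return best > 1 - 2 * delta + eps, best, delta

# Constructed oracle: N = 1001 (odd, composite), correctness pattern
# (1^8 0^5) repeated 77 times, so the oracle is right on 8/13 of the messages.
N_TOY = 1001
C_TOY = ([1] * 8 + [0] * 5) * 77
X_TOY, K_TOY = 3, 1                      # kx = 3, far smaller than N

if __name__ == "__main__":
    correct, ov, wraps = coin_statistics(C_TOY, N_TOY, X_TOY, K_TOY)
    print(f"correct {correct}/{N_TOY}, over_3(c) = {ov}, wraps = {wraps}")
    print(big_advantage(C_TOY, t=5, eps=0.01))
```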

Thus, we can summarize Vazirani and Vazirani's [VV1] work by the following

VV-Theorem: Let N be the RSA's modulus and t be a fixed constant. If Max(N,δ,t) > 1 − 2δ + ε then any (½ + δ)-oracle for RSA's l.s.b can be used to efficiently invert the RSA. (In other words: if the Big-Advantage Condition holds for δ then RSA's l.s.b is (½ + δ)-secure.)

By our results, the Big-Advantage Condition holds for δ ≥ 0.225. Namely, using the VV-Theorem, Prop. 17 and Corollary 1(iii) we get

Corollary 2: Any 0.725-oracle for the least significant bit of the RSA can be efficiently used to invert the RSA.
In other words

Theorem: RSA's l.s.b. is 0.725-secure.

Note that the result of Corollary 1(v) is tight. Thus, under the condition Aver(n,δ,t) > 1 − 2δ + ε, the result of Corollary 2 is optimal. However, Aver(n,δ,t) > 1 − 2δ + ε is more than is needed to satisfy the Big-Advantage Condition. (Recall that the Big-Advantage Condition requires only that Max(n,δ,t) > 1 − 2δ + ε.) Thus, any improvement of the current lower bound on Max(n,δ,t) will yield an improvement of the result of Corollary 2. We believe that Max(n,δ,t) > Aver(n,δ,t) and thus that such an improvement is possible; furthermore, we conjecture that

Conjecture 1: Max(n,δ,t) ≈ ½ + δ .

Combined with the VV-Theorem this implies

Corollary 3: If Conjecture 1 is valid then RSA's l.s.b. is (⅔ + ε)-secure, for arbitrary small fixed ε.

Note that under the Big-Advantage Condition the "result" of Corollary 3 is optimal. This is due to Prop. 19(iii) which states that Max(n,δ,t) ≤ ½ + δ + O(…). Thus, using the VV-Theorem (or any proof technique which requires that the Big-Advantage Condition holds) one cannot hope to prove that RSA's l.s.b is ⅔-secure.

Let us conclude by pointing out that the full power of the results obtained in Section 2.3 was not used; however, we conjecture that it can be used. Namely,

Conjecture 2: Let N be the RSA's modulus and t ≪ N. If Aver(N,δ,t) > ½ + ε then any (½ + δ)-oracle for RSA's l.s.b can be used to efficiently invert the RSA. (In other words: if Aver(N,δ,t) > ½ + ε then RSA's l.s.b is (½ + δ)-secure.)

The condition of the statement of Conjecture 2 is hereafter referred to as the Average-Advantage Condition. By Corollary 1(ii), the Average-Advantage Condition is satisfied by δ = 0.177; thus

Corollary 4: If Conjecture 2 is valid then the RSA's l.s.b is 0.677-secure.

Note that δ = 0.177 is the minimum for which the Average-Advantage Condition is satisfied. Thus no progress beyond the δ = 0.177 point can be made through the Average-Advantage Condition; i.e. when relying on it one cannot hope to prove that RSA's l.s.b is 0.676-secure.

Note that in Corollary 4 the missing part to reach the stated result is the algorithm that will use the analysis. (The analysis of the question which oracles satisfy the Average-Advantage Condition is complete!) However, in the case of the Big-Advantage Condition improved results can still be achieved (just) by improving the analysis of the combinatorial problem (see Corollary 3).
4. Conclusion

We have solved a combinatorial problem and have shown how to use this solution to improve knowledge on the security of RSA's l.s.b. We have also pointed out possible directions for further improvement of our result. Improved results can be obtained by either conducting a better combinatorial analysis of Max(·,·,·) or by suggesting an inverting algorithm based on the Average-Advantage Condition.

However, such improvements will not suffice to show that RSA's l.s.b. is secure. We believe that any improvement in the results concerning the security of RSA's l.s.b., beyond the ⅔ point (which is still out of reach), must make use of additional properties of the RSA.
6.1. Details of the proof of Prop. 5

Recall that s' has the minimum number of overlines among all strings which satisfy Prop. … . Also recall that s' = … , where … and s' = … . The scanning procedure is hereafter recursively defined:

procedure scanning(…) recursive;

[… ∈ {0,1}, … , … ∈ {λ, $$} and … , … ∈ {0,1}.]

if … = … then [terminate.]

(1) return (…);

[… = λ] if y + z ≥ t then [consider next block.]

(2) return (scanning(…));

[… = λ and y + z < t] [transfer one σ.]

(3) return (scanning(…));

end;

Recall that s_scan is the argument by which scanning is invoked the first time. Let s^i_scan = … denote the argument of scanning in its i-th invocation. (Clearly, … .) It is easy to verify the following claims:

Claim 1: Exactly one of the … in s^i_scan is a non-empty word (i.e. $$); in case i = 1 it is … . The number of $'s in s^i_scan is exactly 3. [By induction on i.]

Denote by … the (non-empty) substring of s^i_scan the two leftmost symbols of which are $ signs and so is its rightmost symbol. Let d_i = … (d_i is defined only if scanning was invoked at least i times).

Claim 2: If d_{i+1} is defined then d_{i+1} > d_i. Thus, scanning terminates after at most … invocations. [Note that both commands (2) and (3) of the scanning procedure increase the distance between $$ and $.]

Claim 3: x_i + y_i ≥ t. [By induction on i.]

Denote by s^i_run the string which results from s^i_scan when omitting the $ signs which appear in it. Denote by T the number of times scanning was invoked.

Claim 4: For every i < T, if y_i + z_i ≥ t then s^{i+1}_run = s^i_run. [Notice that in case y_i + z_i ≥ t, command (2) is executed.]

Claim 5: For every i < T, if y_i + z_i < t then CE_t(s^{i+1}_run) ≤ CE_t(s^i_run). [Notice that in case y_i + z_i < t, command (3) is executed. Recall Claim 3 and Prop. 3(…).]

Claim 6: s^T_scan = … . [Consider scanning's termination condition.]

Definition: We say that p_1… is a troublesome string if …, … ∈ {0,1}, …, … ∈ {0,1,$}, … and … for all 1 ≤ j ≤ 3.

Claim 7: … does not contain a troublesome string.

Claim 8: For every i < T, if y_i + z_i ≥ t and … does not contain a troublesome string, then … does not contain a troublesome string. [Notice that in case y_i + z_i ≥ t, command (2) is executed.]

Claim 9: For every i < T, if y_i + z_i < t, … = λ and … does not contain a troublesome string, then … does not contain a troublesome string. [Notice that in case y_i + z_i < t, command (3) is executed; however, since … = λ, the transferred σ_i is not in … .]

Let … = … .

Claim 10: If … = $$, y_i + z_i < t and … does not contain a troublesome string, then u_i + v_i ≥ t. [Note that if … = $$ then s^i_scan = … . By the non-existence of a troublesome substring in … we have 1 + u_i + v_i ≥ t. Note that 1 + u_i + v_i = t leads to a contradiction with our hypothesis that s' has the minimum number of overlines (recall Claim 3 and Prop. 3(…)).]

Claim 11: For every i < T, if y_i + z_i < t, … = $$ and … does not contain a troublesome string, then … does not contain a troublesome string. [Notice that in case y_i + z_i < t, command (3) is executed; however, by Claim 10 the claim holds.]

Claim 12: For every i ≤ T, … contains no troublesome strings. [By induction on i, using Claims 7, 8, 9 and 11.]

Combining the above we conclude that:

(i) The string scanning(s_scan) is well defined. [By Claim 2.]

(ii) CE_t(scanning(s_scan)) = CE_t(s'). [By Claims 4 and 5, and recalling that s' has minimum overlines.]

(iii) The string scanning(s_scan) contains no substring of the form 10⁺1⁺0 the length of which is less than t + 2. Furthermore, it contains at most one substring of the form 01⁺0⁺1 the length of which is less than t + 2. [By Claims 6 and 12.]

Thus, scanning(s_scan) satisfies the statement of Prop. 5.
6.2. Details of the proof of Prop. 19

Let s be a Shortened De Bruijn Sequence as in Prop. 18(ii) (i.e. over_i(s) = 2^{k−1} − 1, when 0 < i < 2^k − 1).

Part (i): Consider the string s' = s^{q−1}1^l. Let n denote the length of s' and m denote its Hamming weight (i.e. number of 1's). Then n = ql and m = (q − 1)2^{k−1} + 2^k − 1 = ½((q + 1)l + q − 1). Recall that δ = m/n − ½. Thus, we have δ = … . Note that MaxOver(s^q, l − 1) = q·(2^{k−1} − 1). Let us show, now, that MaxOver(s', l − 1) ≤ MaxOver(s^q, l − 1) + ½(l + 1).

Note that s' is the string which results from s^q when substituting one of the s substrings by a 1^l substring. Consider the change in the i-overlap under this substitution.

Let s_y denote the y-th bit in s, 0 ≤ y < 2^k − 1. W.l.o.g., consider the following two cases:

case 1: (s_y = s_{y+i}) subcase 1.1: (y + i < 2^k − 1) substituting s by 1^l does not change this i-overline between the y-th position and the (y + i)-th position. subcase 1.2: (y + i > 2^k − 2) substituting s by 1^l can only eliminate the i-overlines between these positions and positions in the neighbouring substrings. Note that in both subcases no new i-overlines were created.

case 2: (s_y = 0, s_{y+i} = 1) subcase 2.1: (y + i < 2^k − 1) substituting s by 1^l creates a new i-overline between the y-th position and the (y + i)-th position. subcase 2.2: (y + i > 2^k − 2) substituting s by 1^l creates a new i-overline between the (y + i)-th position and the y-th position in the neighbouring substring. Note that in both subcases one i-overline was created, by the substitution, per each position y. Thus, the number of these new i-overlines is 2^{k−1} = ½(l + 1).

Thus, MaxOver(s', l − 1) ≤ MaxOver(s^q, l − 1) + ½(l + 1). To conclude note that Max(n,δ,l − 1) ≤ (1/n)·MaxOver(s', l − 1) ≤ (1/n)·(q·2^{k−1} + ½(l + 1)) = ½ + δ − … + … .

Part (iii): Let k = ⌈log_2(t + 2)⌉ and l = 2^k − 1. By part (ii) and t ≤ l − 1, Max(n,δ,t) ≤ Max(n,δ,l − 1). Let m = (½ + δ)n and q = 1 + ⌊…⌋. Consider two cases:

Case 1: (b = m − ((q − 1)2^{k−1} + l) ≥ l) Consider the string s' = s^{q−1}1^l0^c1^b, where c = (n − m) − (q − 1)(2^{k−1} − 1). Notice that s' ∈ … and that MaxOver(s', l − 1) ≤ MaxOver(s^{q−1}1^l, l − 1) + (b + c). As in part (i), we have MaxOver(s^{q−1}1^l, l − 1) ≤ q·2^{k−1} + ½(l + 1). Note that n = ql + b + c, m = (q − 1)2^{k−1} + l + b and δ = … .

Thus, Max(n,δ,l − 1) ≤ (1/n)·MaxOver(s', l − 1) ≤ (1/n)·(q·2^{k−1} + ½(l + 1) + b + c) = … = ½ + δ + ν, where ν = … . Note that c < … . Therefore, ν < … .

Case 2: (m − ((q − 1)2^{k−1} + l) < l) Consider the string s' = s^{q−1}1^b0^c, where b = m − (q − 1)2^{k−1} and c = (n − m) − (q − 1)(2^{k−1} − 1). Note that b < 2l, c < … , n = (q − 1)l + b + c, m = (q − 1)2^{k−1} + b, δ = … and

MaxOver(s', l − 1) ≤ (q − 1)(2^{k−1} − 1) + b + c + l = n(½ + δ) + c + 1 + l − q .

Thus, Max(n,δ,l − 1) ≤ ½ + δ + (c + 1 + l − q)/n .